• Still getting this security notice for Popup Builder current version from Wordfence: Same as for a good while now…

    Popup Builder <= 4.3.4 – Sensitive Information Exposure via Imported Subscribers CSV File
    CVSS 5.3 (Medium)
    Exposure of Sensitive Information to an Unauthorized Actor
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    CVE: CVE-2024-2541
    Publicly Published: August 28, 2024
    Last Updated: September 24, 2024
    Researcher: Tim Coen
    Description
    The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 via the Subscribers Import feature. This makes it possible for unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file. This data may include the first name, last name, e-mail address, and potentially other personally identifiable information of subscribers.

    References
    plugins.trac.www.ads-software.com

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Jawad Ahmed

    (@jawada)

    Hello @crzyhrse ,

    Thank you for reaching out and sharing details about the issue. We’re aware of this problem, and a fix has already been implemented. The updated version of the plugin is currently in the testing phase. We appreciate your patience while we prepare for its release.

    If you’d like to access the updated version before the official release, please feel free to reach out through our dedicated support forum. You can visit us at https://help.popup-builder.com/en/, where you’ll find options to chat with us or send an email. Our team is here to help and will be happy to address any concerns you may have.

    Best regards,

    Thread Starter crzyhrse

    (@crzyhrse)

    This is another irresponsible and totally diversionary reply, the exact same one you gave myself and others multiple weeks ago… As well as there continues to be exactly zero helpfulness at this link you give…

    You are instead using this issue to push people here into following the link so they will be “tempted” to buy your paid version… Which I believe is, if that is actually the case, contrary to WordPress rules…

    You need to get a real fix of this issue as an update to your plugin here in the WordPress Plugin Repository, ASAP… Repeat, ASAP…

    Otherwise WordPress will be notified via some of its more official channels in these regards, so they can perhaps consider what might eventually become some more appropriate and encompassing actions…

    Regards.

    Plugin Support Jawad Ahmed

    (@jawada)

    Hi @crzyhrse

    Thank you for your feedback, and I apologize for any concern caused. I want to assure you that our team is actively working to address the vulnerabilities and will continue to provide fixes promptly as issues arise. Each version of our plugin is carefully updated to handle specific concerns. We are committed to resolving these issues as quickly as possible without compromising the quality of our solutions.

    In the upcoming version, we have fixed the import issue via a token, and CSV files will no longer be importable without a token from the site from which the file was exported.

    Regarding your concerns about the link, our intention is never to mislead but to provide users with direct access to additional support and resources. We value transparency and compliance with WordPress guidelines in all our communications.

    We appreciate your patience and understanding as we work towards a resolution.

    Best Regards
